
Splunk Lantern

Integrating SOAR with Azure AD SAML

 

Integrating Splunk SOAR with Azure Active Directory (Azure AD) using SAML provides several key benefits, particularly in terms of security, usability, and centralized identity management. These include:

  • Centralized identity and access management
  • Single sign-on for a better user experience
  • Enhanced security
  • Streamlined user onboarding and offboarding
  • Streamlined integration with other Azure services
  • Improved incident response

 
In addition, this integration includes multiple compliance-friendly features, which are valuable additions for organizations seeking to optimize their security operations and ensure secure, scalable access to their SOAR platform.

This article explains how you can set up this integration. 

Solution

Create a non-gallery app for Splunk SOAR

An Azure AD tenant is required for this configuration, and the subscription is freely available. Consult with the Azure AD administrator of your organization for assistance. When you have access, complete the following steps.

  1. From the left pane in the directory Overview, click Enterprise applications.
  2. In the main panel, click New application.
  3. Click Create your own application, as Splunk SOAR is not part of the Azure AD App Gallery.
  4. In the window that pops up, name the app in the text box, select the Non-gallery option, and click Create.
  5. The Splunk SOAR app is created and you should be automatically redirected to the app’s Overview page. However, if you are not automatically redirected, navigate to the Enterprise applications page, where the Splunk SOAR app should be available to click on. You might need to click Refresh to view it.

Configure SAML in Azure AD

  1. From the left pane in the app Overview, click Single sign-on. Alternatively, you can click the Set up single sign on chiclet on the app’s main panel.
  2. Click the SAML chiclet.
  3. Under Basic SAML Configuration, click Edit.
  4. Click Add identifier and Add reply URL to set the required fields from the pop-up window.
  5. Set the following three fields, then click Save to save changes.
    • Identifier (Entity ID). This is a unique ID within Azure AD that identifies the Splunk SOAR app for audience restriction purposes. It can be any name/ID.
    • Reply URL (Assertion Consumer Service URL). This is the ACS URL where the SOAR app receives the authentication token. It follows the format https://<SOAR_INSTANCE_URL>/saml2/callback/login.
    • Sign on URL. This is the URL of the page to be redirected to after a login. It is usually the SOAR home page URL.

    If you aren't sure what values to use, values for Identifier and Reply URL can be found in SOAR App’s UI by navigating to Administration > User Management > Authentication > SAML2 (switch on SAML2 if that’s not done) > Configuration Info.

  6. On the Set up Single Sign-On page, click Edit under Attributes & Claims.
  7. On the Attributes & Claims page, click Add a group claim.
  8. Set the following values as detailed, then click Save. These settings are used in step 2 in the Create and assign users and groups section.
    • Security groups. Select this value because the Azure AD groups to be created for SOAR users will have the Group type Security. You can also select All groups if the Group type of the Azure AD group is different.
    • Source attribute. Select Group ID as the value to be assigned to this group claim. This is the Object Id value of the Azure AD group created. This will make more sense in the Create and assign users and groups section.
    • Name. Set a custom name for the group claim to be sent in the SAML token, so it can be easily recognized and configured in Splunk SOAR.
  9. The newly created group claim is added under Additional claims.
  10. Navigate back to the Set Up Single Sign-On page and take note of the values set for the following settings. Click the copy icon to copy the full URL to your clipboard.
    • App Federation Metadata Url
    • Login URL
    • Microsoft Entra Identifier
  11. Under SAML Certificates, click Edit.
  12. Under Signing Options, select Sign SAML response and assertion, then click Save.

Create and assign users and groups

These steps assume you have already created users and groups in Azure AD. If not, complete that step and then return to this document. Consult with the Azure AD administrator of your organization for assistance.

  1. From the left pane in the app Overview, click Users and groups to validate that your assigned users are available.
  2. The Azure AD free license does not support group assignments. Instead, you can assign individual users to the Splunk SOAR app and find the group these users were assigned to from the Azure home page by going to Azure Active Directory service > Groups > SplunkAdmins.
    • Object Id. This is the unique ID that identifies the Azure AD group, in this case the SplunkAdmins group.
    • In step 8 of the Configure SAML in Azure AD section, you selected Group ID as the source attribute to emit this Object Id as the value for the group claim named saml_groups. Similarly, in step 8, you selected Security for the Group type to match the Type value for this group.
    • In the screenshot below, the total and direct members count is shown as 2, because the two users created previously are assigned to this group.

Configure SAML in Splunk SOAR

  1. Log into your Splunk SOAR instance and navigate to Administration > User Management > Authentication.
  2. Click SAML2 and toggle SAML authentication to ON.
  3. Set the following values in each field:
    • Provider Name. A unique name to identify this SAML2 connection configuration. This same name will show up on the Splunk SOAR login page to initiate the SAML2 authentication.
    • Splunk SOAR Base URL. Users will be redirected to this URL after a successful login. It is usually the SOAR home page URL.
    • Assign the following three settings the values noted in step 10 of the Configure SAML in Azure AD section.
      • Single-sign-on URL. Login URL
      • Issuer ID. Microsoft Entra Identifier
      • Metadata URL. App Federation Metadata URL

        The Metadata XML doesn't need to be set because the Metadata URL is already configured. Only one of these two needs to be configured with a value. If configuring Metadata XML, you need to download the Federation Metadata XML from the page shown in step 10 of the Configure SAML in Azure AD section, and copy and paste the complete content of the XML file to this field.

  4. Expand the Advanced section and set the following values in each field. Then click Save Changes at the bottom right corner.
    • Response Signed. Select this so that responses coming from the Azure AD need to be signed with a valid certificate, otherwise they will be rejected.
    • Request Signed. Select this so that requests coming from the Azure AD need to be signed with a valid certificate, otherwise they will be rejected.
    • Assertion Signed. Select this so that the SAML assertion sent from the Azure AD needs to be signed with a valid certificate, otherwise it will be rejected.
    • Assign the following two settings the values from the Configure SAML in Azure AD section.
      • EntityID/Audience. This is the Identifier (Entity ID) configured in step 5.
      • Group Key. This is the custom name configured in step 8.
    • (Optional) A Group Delimiter needs to be configured if multiple Object Id values are passed within a single XML element for the saml_groups attribute. This is to identify the individual values separately. It is not required with this Azure AD setup, as the values are passed with separate child XML elements.
      • Group. This is the Object Id of the Azure AD group.
      • Splunk SOAR Role. This is the SOAR role to be assigned to users from the Azure AD group configured in the Group field.
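To confirm that a decoded SAML response lines up with the values configured in the steps above (EntityID/Audience, Reply URL, Issuer ID, Group Key, signing options and the group-to-role mapping), a check like the following can help when a login fails or a user lands in the wrong role. This is an added example, not code from Splunk or Microsoft. The sample response, host names, Object Ids and role name are constructed placeholders, and the signature check only confirms that signature elements are present.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like a decoded SAMLResponse; every value is a placeholder.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://soar.example.com/saml2/callback/login">
 <saml:Issuer>https://idp.example.com/placeholder-tenant/</saml:Issuer><ds:Signature/>
 <saml:Assertion><saml:Issuer>https://idp.example.com/placeholder-tenant/</saml:Issuer><ds:Signature/>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>splunk-soar-example</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="saml_groups">
   <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
   <saml:AttributeValue>00000000-0000-0000-0000-000000000002</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

def check_response(xml_text, entity_id, acs_url, issuer_id, group_key, role_map, delimiter=None):
    """Return (problems, roles) for a decoded SAML response against the SOAR-side settings."""
    root = ET.fromstring(xml_text)  # constructed input here; prefer defusedxml for captured data
    assertion = root.find("saml:Assertion", NS)
    problems = []
    if assertion is None:
        return ["no unencrypted Assertion element found"], []
    # Presence check only: this does not validate the signatures cryptographically.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the Reply URL")
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() != issuer_id:
        problems.append("Issuer does not match Issuer ID")
    audiences = [a.text.strip() for a in assertion.iterfind(".//saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        problems.append("Audience does not match EntityID/Audience")
    groups = []
    for attr in assertion.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == group_key:
            for value in attr.iterfind("saml:AttributeValue", NS):
                text = (value.text or "").strip()
                groups += text.split(delimiter) if delimiter else [text]
    if not groups:
        problems.append(f"no values found for group claim {group_key!r}")
    roles = sorted({role_map[g] for g in groups if g in role_map})
    return problems, roles
```

Pass `delimiter` only when the identity provider packs several Object Ids into one element, which mirrors the optional Group Delimiter setting.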

Next steps

For more tips on setting up your Splunk SOAR deployment to work effectively in your environment, see the content available under SOAR product tips.

  • Written by Jerry Zhang, Senior Technical Support Engineer at Splunk
  • and Mark Girguis, Principal Product Specialist at Splunk